[55102] in North American Network Operators' Group
Re: New worm / port 1434?
daemon@ATHENA.MIT.EDU (Josh Richards)
Sat Jan 25 09:23:38 2003
Date: Sat, 25 Jan 2003 03:12:40 -0800
From: Josh Richards <jrichard@cubicle.net>
To: nanog@nanog.org
In-Reply-To: <20030125065917.GB26859@cubicle.net>
Errors-To: owner-nanog-outgoing@merit.edu
Note, further analysis makes me believe that the ICMP we saw immediately
beforehand was a coincidence and unrelated. The origin of the ICMP has
been traced to a customer application.
-jr
* Josh Richards <jrichard@cubicle.net> [20030125 00:21]:
>
> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
> delivered to one of our downstream colo customer boxes followed by a
> 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random
> destinations on 1434/udp. This customer typically does about 0.250 Mbit/s
> so this was a bit out of their profile. :-) Needless to say, we shut them
> down per a suspected security incident. The ICMP came from 66.214.194.31
> though that could quite easily be forged or just another compromised box.
> We're seeing red to many networks all over the world though our network seems
> to have quieted down a bit. Sounds like a DDoS in the works.
>
> Anyone else able to corroborate/compare notes?
----
Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }>
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
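The flow-based observation in the quoted message (one customer box suddenly pushing a high-rate burst of UDP/1434 traffic to many seemingly random destinations, far above its usual 0.250 Mbit/s) is the kind of signal a simple NetFlow detector can raise. As an added example that is not from the original thread, the following Python runs over constructed flow records and flags any source whose UDP/1434 output both exceeds a multiple of its normal rate and touches many distinct destinations; the record layout, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One NetFlow-style record (assumed, simplified layout)."""
    src: str
    dst: str
    proto: str
    dport: int
    octets: int   # bytes carried by this flow
    start: float  # seconds into the observation window


def constructed_flows():
    """Constructed sample data: one well-behaved host, one host sweeping 1434/udp."""
    flows = []
    # Normal web traffic from a customer host (a handful of destinations, modest volume).
    for i in range(20):
        flows.append(Flow("192.0.2.10", f"198.51.100.{i}", "tcp", 80, 15_000, i * 0.05))
    # Suspect host: 2000 small UDP/1434 flows to 2000 distinct destinations within one second.
    for i in range(2000):
        dst = f"203.0.{i // 256}.{i % 256}"
        flows.append(Flow("192.0.2.20", dst, "udp", 1434, 404, (i % 100) / 100))
    return flows


def find_udp1434_scanners(flows, window_s, baseline_mbps=0.25,
                          factor=10, min_distinct_dst=100):
    """Return {src: {"mbps": ..., "distinct_dst": ...}} for sources whose
    UDP/1434 traffic in a window_s-second window is out of profile:
    at least factor x baseline_mbps AND to at least min_distinct_dst hosts."""
    octets = defaultdict(int)
    dsts = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == 1434:
            octets[f.src] += f.octets
            dsts[f.src].add(f.dst)
    alerts = {}
    for src, total in octets.items():
        mbps = total * 8 / window_s / 1e6
        n_dst = len(dsts[src])
        if mbps >= baseline_mbps * factor and n_dst >= min_distinct_dst:
            alerts[src] = {"mbps": round(mbps, 3), "distinct_dst": n_dst}
    return alerts


if __name__ == "__main__":
    for src, info in find_udp1434_scanners(constructed_flows(), window_s=1.0).items():
        print(f"ALERT {src}: {info['mbps']} Mbit/s to {info['distinct_dst']} hosts on 1434/udp")
```

Both conditions together matter: the destination-count check keeps a single busy database replication stream from tripping the rate check alone.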